The CyberWire Daily Podcast 6.23.22
Ep 1605 | 6.23.22

Reviewing Russian cyber campaigns in the war against Ukraine. Ukraine's IT Army is a complex phenomenon. Take ICEFALL seriously. CISA has updated its cloud security guidance.


Dave Bittner: Reviewing Russian cyber campaigns in the war against Ukraine and the complexity of Ukraine's IT army. We've got advice and reactions to ICEFALL. Carole Theriault looks at Hollywood's relationship with VPNs. Robert M. Lee from Dragos provides a rundown on Pipedream. And CISA updates its cloud security technical reference architecture.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 23, 2022. 

Reviewing Russian cyber campaigns in the war against Ukraine.

Dave Bittner: Microsoft yesterday published a long report titled "Defending Ukraine: Early Lessons from the Cyber War," in which Redmond describes what it's observed so far. The result that's been most widely reported is a significant increase in Russian cyber espionage directed against countries regarded as either friendly to Ukraine or of dubious adherence to the Russian cause. In all, Microsoft tallies 128 organizations in 42 countries as subjected to Russian cyber espionage. The target list was concentrated on government agencies, but it also included think tanks, humanitarian groups and critical infrastructure providers. The appearance of humanitarian groups seems particularly telling. By their enemies as well as their works shall ye know them, we guess. 

Dave Bittner: Microsoft is concerned to set the cyber phases of Russia's hybrid war into historical context. The company's chair and president, Brad Smith, writes in his blog post introducing the report, while no one can predict how long this war will last, it's already apparent that it reflects a trend witnessed in other major conflicts over the past two centuries. Countries wage wars using the latest technology, and the wars themselves accelerate technological change. It's therefore important to continually assess the impact of the war on the development and use of technology. The Russian invasion relies in part on a cyber strategy that includes at least three distinct and sometimes coordinated efforts - destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine and cyber influence operations targeting people around the world. 

Dave Bittner: Smith argues that Russia's war against Ukraine should motivate governments, corporations and NGOs to develop effective alliances capable of responding to further aggression along Russian lines. He also warns that influence operations have played a significant part in Russia's cyber campaigns, and he cautions against letting the apparent ineffectuality of Russian cyberattacks against Ukraine, which fell far short of consensus expectations, lull anyone into a false sense of security. 

Ukraine's IT Army is a complex phenomenon.

Dave Bittner: The IT army that Kyiv has summoned to its cause has generally received favorable press in the West although its activities have tended to be dismissed as nuisance-level website defacements and distributed denial of service attacks. A study by the Zurich-based Center for Security Studies titled "The IT Army of Ukraine: Structure, Tasking, and Ecosystem," argues that the EU in particular has failed to take proper stock of the IT army and specifically of its implications for international norms. The group is far from being just some gaggle of hacktivist randos totaling about a thousand hackerweight mucking around with electronic signs. The study sees the origins of the IT army of Ukraine in years of consideration of lessons to be learned from the success of the Estonian Defense League's Cyber Unit and other efforts around the globe to organize, incorporate and surge civilian IT volunteers into existing military structures in times of need. Those efforts have generally been defensive in nature and grew in a relatively controlled and systematic way. Whatever thought Ukraine devoted to the problem in pre-war days, the IT army itself seems a wartime improvisation stood up in an ad hoc manner without a clearly structured and proven plan. It appears to have emerged as a surrogate for a Ukrainian military cyber command, the study argues. But for all that, it's been intelligently assembled and used with greater effect than has been generally appreciated. Born out of necessity, the IT army subsequently evolved into a hybrid construct that is neither civilian nor military, neither public nor private, neither local nor international and neither lawful nor unlawful. 

Dave Bittner: It differs in one significant respect from the earlier Estonian model. From the outset, the IT army has been encouraged to conduct cyber offensive operations against Russian targets. It has two distinct aspects - first, a continuous global call to action that mobilizes anyone willing to participate in coordinated DDoS attacks against designated Russian infrastructure targets - these are primarily civilian; second, an in-house team likely consisting of Ukrainian defense and intelligence personnel that have been experimenting with and conducting ever more complex cyber operations against specific Russian targets. Both parts of the IT army are purely offensive in nature and serve to bring willing amateurs and dedicated professionals into one, most likely, hierarchical organizational structure. It's also attracted significant support from private sector companies in IT and cybersecurity, both in Ukraine and abroad. 

Dave Bittner: The report concludes the IT army of Ukraine is a unique and smart construct whose organizational setup and operational impact will likely inform the art of cyber and information warfare in future conflicts. On the public side, the IT army serves as a vessel that allows the Ukrainian government to utilize volunteers from around the world in its persistent DDoS activities against Russian government and company websites. As of 7 June 2022, this includes 662 targets. On the non-public side, the IT army's in-house team likely maintains deep links to, or largely consists of, the Ukrainian defense and intelligence services. The report warns that this kind of organization is unfamiliar, especially to NATO's European members, and that it represents a challenge to international norms of conduct in cyberspace. 

Dave Bittner: That final caution seems overstated. International law requires that armed conflict be waged by competent authority and by personnel who operate under that authority's control. The IT army seems, by the study's own account, to do both. The laws of armed conflict, which are being gradually extended into cyberspace, also require that military operations be both discriminating, protective of civilians, and proportionate, not productive of excessive damage. There are no signs that the IT army is guilty of either, although one might wonder about operations against civilian websites. That the IT army represents an unfamiliar kind of organization seems, nonetheless, to be correct and to warrant further study. 

ICEFALL advice and reactions.

Dave Bittner: CISA, yesterday, noted Forescout's report of the widespread industrial control system vulnerabilities the researchers call, collectively, ICEFALL, and CISA has advised attention to the Forescout report and the mitigation recommendations it contains. CISA also pointed out that five of its recent alerts address issues associated with ICEFALL and its advisory quotes Forescout's primly censorious characterization of the vulnerabilities as representing insecurity by design. SecurityWeek has a round-up of industry comments on ICEFALL. In general, the experts aren't surprised that vulnerabilities of this kind were found, and they're in agreement that ICEFALL is to be taken seriously and the available remediations applied. 

CISA issues an updated version of its Cloud Security Technical Reference Architecture.

Dave Bittner: This morning, the U.S. Cybersecurity and Infrastructure Security Agency issued version 2.0 of its Cloud Security Technical Reference Architecture. The document singles out two efforts for particular attention - the familiar Federal Risk and Authorization Management Program - that's FedRAMP - in place since 2011 and a more recent program, the Cloud Smart Initiative, which succeeded the Federal Cloud Computing Strategy, Cloud First. Cloud Smart emphasizes the three pillars of security, procurement and workforce. While the document is addressed primarily at the U.S. federal agencies whose security CISA oversees, others will find its recommendations of interest, especially if they do business with the U.S. government. 

Dave Bittner: VPNs are a common and established tool for those looking to secure their online activity. And like most tools, VPNs can be put to good use or bad. Carole Theriault joins us with details on the growing tension between VPN providers and the entertainment industry. 

Carole Theriault: So VPNs - a controversial topic, it seems. I mean, VPNs generally claim to improve privacy by encrypting online activity and rerouting it through a company's servers, basically concealing the user's IP address. And typical reasons someone might want to employ a VPN could be to keep stuff private while surfing on a public Wi-Fi, to keep your stuff private from your own internet service provider or from other apps and services that you use, to better protect your sensitive work files or to access any content, as a VPN can be a particularly useful workaround to content restrictions. And this last point continues to cause a furore down in Hollywood. 

Carole Theriault: A group of over two dozen film studios has repeatedly taken popular VPN providers to court, sometimes extracting judgments worth millions of dollars in damages. Indeed, according to Wired, filmmakers say they have clear-cut evidence that their customers are abusing the privacy and security provided by virtual private networks. But last month, court records show that some studios' legal teams have also accused VPN providers of enabling illegal activity beyond copyright infringement. And it seems that these studios might actually be challenging the notion that VPNs should exist at all. 

Carole Theriault: The gist of this argument seems to be in the blatant way that certain VPNs communicate with their audiences. For example, there are no-log VPNs. And no-log VPNs basically advertise that they keep no logs on any of your activity. So if someone shows up with a warrant asking to see said logs, they say we don't have them. Now, it sounds like only criminals would use no-log VPNs, but indeed there are a lot of security-conscious people out there who don't necessarily trust their VPNs with all their information of where they go and what they do on their computer. So this may be a very good option for them. 

Carole Theriault: And back to the studio lawsuit - they seem to intimate that not only do some of these no-log VPNs refuse to prevent their services from being used to commit illegal acts, like streaming from a nonsupported region or sharing user accounts, but there are also reports that some of these no-log open VPNs openly boast in marketing campaigns that law enforcement is unable to extract any information about their users. I am sure there are people out there using VPNs and other jiggery-pokery to stream unavailable content or content that requires payment, and they're doing it for free. And no wonder the studios are feeling the heat - they, too, suffered through the pandemic. And while it seems a large number of streaming providers, such as Amazon Prime and Netflix, did very well while we were stuck at home, they have recently hit a slump during the first quarter of this year. 

Carole Theriault: But for me, it's kind of hard to feel sorry for Hollywood studios in this last quarter. I mean, consider that folk have had to rethink their spending in order to cover inflations on basics like food, gas and bills. Many people need to save a few pennies by quitting a few of the streaming services they may have signed up to during the pandemic. After all, many of them have now been mandated to go back to work and are working full-time jobs. But what really bugs me is that the right to privacy is under threat from many, many different sides. And maybe Hollywood fat cats and their shareholders don't need to chink away at privacy just because their pockets aren't as overflowing as they were during the pandemic. And besides, Microsoft is apparently banking on its free built-in VPN to get you to use Microsoft Edge. I'm not sure I'd call Microsoft the scourge of the earth. This was Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. I want to touch base with you today about everything going on with PIPEDREAM, this ICS-focused malware that you and your colleagues have had a hand in the discovery of. But I think there's a lot to the story here. Where's a good place to start? 

Robert M Lee: Yeah, I would just give a background for folks to say that when you look at industrial control system-focused attacks, most of what we worry about on a day-to-day basis is the abuse of native functionality. It's not about some malware. It's not about some vulnerability. Actually, vulnerabilities tend to be a very system-based view of the world. And in the world of industrial, it's systems of systems and physics. So it's less about what can you do to one system. It's much more about, do you know how to operate a circuit breaker? Do you know how to operate a gas turbine? Do you know how to operate these different systems of systems that we have? And if so, you can abuse that functionality to do disruptive effects. 

Robert M Lee: But every now and then, you actually get ICS-focused malware. And they largely so far have come in kind of two flavors. One is access - BlackEnergy 2 is a great example of that. It had exploits for internet-facing human machine interfaces basically being able to get access to these industrial environments. It, in and of itself, couldn't disrupt or destroy anything, but it could help you get access. But then you also have the disruptive and destructive type capabilities, right? We've had Stuxnet, we had Crashoverride/Industroyer, there's Industroyer 2, TRISIS; these ones are deployed to do something disruptive or destructive. And across all of those cases and across all of the kind (ph) that we have, there's only been six publicly known ICS malware tool sets, and most of them are really victim specific. And you're really not going to use it somewhere else. The playbook that they've now shown, the tradecraft that they've shown, can be picked up by other people. But you're not just going to dropship it into another environment. TRISIS, as an example, worked against that petrochemical environment with that safety system. The things they exposed, anybody can now copy their playbook, but you're not going to see TRISIS, in its current form, deployed somewhere else. 

Robert M Lee: And that brings us to PIPEDREAM. So PIPEDREAM is, in my opinion - I hate this whole, like, who's the best, you know, what's the most sophisticated malware? I don't like any of that measuring contest crap. It doesn't matter. But what we can candidly say is PIPEDREAM is the most flexible of the ICS capabilities we've seen. So anything new - right? - the seventh ICS malware framework is going to be big news anyways, but the fact that it can go against such a wide variety of industries and equipment makes it particularly dangerous. And what's probably most interesting to people around the world is we were able to get this information out to people and analyze it before the adversary employed it on its target. It's not saying they haven't deployed anywhere in the world. It's not like it's not out there somewhere, but it wasn't employed against their actual targets. 

Robert M Lee: And I'll pause there for a second, but in our view, in our assessment, this was a capability designed to be disruptive, if not destructive, against a set of initial targets and then capabilities beyond that. What I mean by that is this looks like they were going to deploy it against U.S.-based energy assets, specifically in the liquid natural gas space, both electric and gas community. I mean, I honestly think that they were going to use this. And when you talk about attacks on U.S. infrastructure in a reliable way, I mean, that's something - there's many people out there that were like, oh, we're not going to get attacked. We're not at war, blah, blah, blah. And I was like, yeah, the adversary gets a vote in that, you know? And this was very, very bold and brazen. 

Robert M Lee: So we're fortunate we found it beforehand, but there's no fix to it. It's not like there's a vulnerability they're exploiting. It's not like there's something that you can just go patch and fix. They're doing all the things we've been warning about for years, using Modbus TCP, a very common ICS protocol, using OPC, a very common ICS protocol, exploiting CODESYS functionality, which is software in just hundreds of different controllers out there. So it's one of those capabilities that if I was building an ICS security program from scratch and you just modeled out this scenario and protected yourself against it from protection, detection and response mechanisms, you would have a world-class program. Like, this is a very capable framework. 

Dave Bittner: I think there's been a lot of attention to the fact that your team and some other teams, folks at Mandiant, as well as your team at Dragos, were proactive on this, were able to, as you mentioned, you know, have the detection before it was deployed. You know, you went so far as to take the stage and kind of give these threat actors, you know, a bit of the Riot Act about their capabilities. And you draw some attention to that. I mean, there was attention on you because of that. 

Robert M Lee: Yeah. 

Dave Bittner: Why take that approach? Is that putting a target on your own back? 

Robert M Lee: Probably. And so, look, I don't think anybody's above critique or approach. And so I'm happy to have anybody try to critique me, and I may need it in my statements and actions. Why - I think you're alluding to my response on Twitter to my keynote. What I kind of push back on is there were people that weren't in my talk that were then tweeting at me about their opinions of what they perceived to be my stance. And so first, I was saying, hey, guys. Watch the video or watch the talk before you come at me. And No. 2... 

Dave Bittner: Right. 

Robert M Lee: You know, and I don't mean this in any arrogant way. I don't mean this to be braggadocious. I don't mean this to be a jerk. But I have been on the offense for this country. I have been on the defense. I've built the ICS discovery mission for the government. I run the largest ICS security company in the world right now over at Dragos. I'm not saying I'm right, but I think I have experienced enough to make the statements that I make. And for people who are like, Rob, it's bad that you're poking the adversary, guys, I've been there, done that. You may not agree with me, but I'm precise with my words, and I know what I'm saying. 

Robert M Lee: And so why did I say that, right? At the end of the talk, I put down the adversary. Why? To me, this community - and I love them to death. And there's plenty of reasons to do it. Don't get me wrong. But this community builds up adversaries to almost hero worship to a fact - to a side, for me, that feels disgusting. We're so happy to talk about, oh, this is the most sophisticated group, and, oh, these people were amazing. Did you look at this cool hack that they pulled off? Or, let's memorialize them with statues at RSA for the various threat groups that they represent and all this crap. 

Robert M Lee: And it's honestly kind of disgusting to me personally because having been on that side of the world and having been in the intel community, I know for a fact many of the developers and operators of these campaigns just absolutely revel in that. It's a glorification. It's, hey; did you see the latest report they were writing about our team? Look how great and wonderful we are, etc., etc., etc. 

Robert M Lee: So my intent was to kind of return a little bit of normalcy and say, you know what? As a member of the industrial community out to the adversaries here, I just wanted to let you know we don't think you're clever. We don't think you're cool. You're going after civilian targets and civilian people, and you should feel bad. You should be fired for your incompetent approach to this. And I think they ought to be reminded every now and then that they're not as important or as cool as people make them out to be. They're jerks trying to hurt people. And in any world, in any country, in any reality, I hope all of us can agree that civilians should be off limits. 

Dave Bittner: All right. Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.